From f253158ae7407fd1b7eaa9abe7de46f09d582b55 Mon Sep 17 00:00:00 2001
From: Thomas Schweiger
Date: Thu, 16 Oct 2025 15:58:43 +0200
Subject: [PATCH 1/2] fix: fix #104 - LDAP userPassword attribute can be read without auth

---
 config/ldap/init-ldap-acls.sh | 26 ++++++++++++++++++++++++++
 config/ldap/ldif/50_acls.ldif | 12 ++++++++++++
 idm/ldap-keycloak.yml | 2 ++
 3 files changed, 40 insertions(+)
 create mode 100755 config/ldap/init-ldap-acls.sh
 create mode 100644 config/ldap/ldif/50_acls.ldif

diff --git a/config/ldap/init-ldap-acls.sh b/config/ldap/init-ldap-acls.sh
new file mode 100755
index 0000000..67c6bfc
--- /dev/null
+++ b/config/ldap/init-ldap-acls.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -eu
+
+# load OpenLDAP environment and functions
+. /opt/bitnami/scripts/libopenldap.sh
+
+trap ldap_stop EXIT
+
+# start LDAP in background
+ldap_start_bg
+
+# wait until LDAP is started
+while ! ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=admin,dc=opencloud,dc=eu" >/dev/null 2>&1; do
+ echo "Waiting for LDAP to start..."
+ sleep 1
+done
+
+# apply acls
+echo -n "Applying acls... "
+ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/etc/schema/50_acls.ldif
+if [ $? -eq 0 ]; then
+ echo "done."
+else
+ echo "failed."
+fi
+
diff --git a/config/ldap/ldif/50_acls.ldif b/config/ldap/ldif/50_acls.ldif
new file mode 100644
index 0000000..0384f10
--- /dev/null
+++ b/config/ldap/ldif/50_acls.ldif
@@ -0,0 +1,12 @@
+# OpenCloud ldap acl file which gets applied during the first db initialisation
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to dn.subtree="dc=opencloud,dc=eu" attrs=entry,uid,objectClass,entryUUID
+ by * read
+olcAccess: {1}to attrs=userPassword
+ by self write
+ by * auth
+olcAccess: {2}to *
+ by dn.base="uid=admin,ou=users,dc=opencloud,dc=eu" write
+ by * none
diff --git a/idm/ldap-keycloak.yml b/idm/ldap-keycloak.yml
index e7a418a..038b049 100644
--- a/idm/ldap-keycloak.yml
+++ b/idm/ldap-keycloak.yml
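Review bot: Under `set -eu` the `if [ $? -eq 0 ]` test after `ldapmodify` can never reach the `failed.` branch, because a non-zero exit from `ldapmodify` terminates the script before `$?` is examined; the script then stops mid-line with only the `Applying acls... ` prefix printed and the EXIT trap shuts slapd down. Test the command directly and make the outcome explicit: `if ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/etc/schema/50_acls.ldif; then`. Since this ACL is what closes the userPassword exposure from #104, the failure branch should end in `echo "failed." >&2; exit 1` rather than print and carry on, so an initialisation with the old default ACL still in place cannot look successful. The same `$?`-after-`set -e` pattern survives the second patch's rewrite of this file around the `slapmodify` call.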
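Review bot: Rule `{0}` grants `by * read` on `entry,uid,objectClass,entryUUID` for the whole `dc=opencloud,dc=eu` subtree, and `*` includes anonymous binds, so the change closes userPassword but still lets an unauthenticated client enumerate every uid in the directory. If only bound principals (Keycloak's bind account and the users themselves) need those attributes, `by users read` limits the rule to authenticated sessions; the diff does not show whether the Keycloak federation relies on an anonymous lookup, so confirm that before tightening. Either way a comment on `{0}` such as `# {0}: anonymous read of uid/objectClass is required for <reason>` would tell the next reader why the exposure is accepted. The header comment also says the file is applied only during the first database initialisation, so it is worth stating that already-initialised volumes do not pick up this ACL and need it applied separately.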
@@ -54,6 +54,8 @@ services:
 volumes:
  - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
  - ./config/ldap/ldif/20_admin.ldif:/ldifs/20_admin.ldif
+ - ./config/ldap/ldif/50_acls.ldif:/opt/bitnami/openldap/etc/schema/50_acls.ldif
+ - ./config/ldap/init-ldap-acls.sh:/docker-entrypoint-initdb.d/init-ldap-acls.sh
  - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
  - ldap-certs:/opt/bitnami/openldap/share
  - ldap-data:/bitnami/openldap

From c689b262759a46821c9022bc3147ab253fa29cd5 Mon Sep 17 00:00:00 2001
From: Thomas Schweiger
Date: Thu, 23 Oct 2025 16:03:35 +0200
Subject: [PATCH 2/2] fix: change acls and how to apply them

---
 config/ldap/init-ldap-acls.sh | 17 +----------------
 config/ldap/ldif/50_acls.ldif | 3 ---
 2 files changed, 1 insertion(+), 19 deletions(-)

diff --git a/config/ldap/init-ldap-acls.sh b/config/ldap/init-ldap-acls.sh
index 67c6bfc..8141a20 100755
--- a/config/ldap/init-ldap-acls.sh
+++ b/config/ldap/init-ldap-acls.sh
@@ -1,26 +1,11 @@
 #!/usr/bin/env bash
 set -eu
 
-# load OpenLDAP environment and functions
-. /opt/bitnami/scripts/libopenldap.sh
-
-trap ldap_stop EXIT
-
-# start LDAP in background
-ldap_start_bg
-
-# wait until LDAP is started
-while ! ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=admin,dc=opencloud,dc=eu" >/dev/null 2>&1; do
- echo "Waiting for LDAP to start..."
- sleep 1
-done
-
 # apply acls
 echo -n "Applying acls... "
-ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/etc/schema/50_acls.ldif
+slapmodify -F /opt/bitnami/openldap/etc/slapd.d -b cn=config -l /opt/bitnami/openldap/etc/schema/50_acls.ldif
 if [ $? -eq 0 ]; then
  echo "done."
 else
  echo "failed."
 fi
-
diff --git a/config/ldap/ldif/50_acls.ldif b/config/ldap/ldif/50_acls.ldif
index 0384f10..5698f73 100644
--- a/config/ldap/ldif/50_acls.ldif
+++ b/config/ldap/ldif/50_acls.ldif
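Review bot: `slapmodify` rewrites `cn=config` on disk under `slapd.d` and is only safe while slapd is not running, yet this revision removes the start/wait/stop logic without recording where in the container's start-up the script is now expected to run; if the initdb hook happens to fire while slapd is already up, the on-disk ACL and the running ACL diverge until the next restart and the userPassword exposure stays open in the meantime. Please add a comment above the call stating the precondition, e.g. `# slapmodify edits slapd.d directly: this must run before slapd is started (initdb hook, first initialisation only)`. Whether the Bitnami entrypoint guarantees that ordering is not visible in this diff, so the comment should also name the hook that provides it once confirmed.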
@@ -7,6 +7,3 @@ olcAccess: {0}to dn.subtree="dc=opencloud,dc=eu" attrs=entry,uid,objectClass,ent
 olcAccess: {1}to attrs=userPassword
  by self write
  by * auth
-olcAccess: {2}to *
- by dn.base="uid=admin,ou=users,dc=opencloud,dc=eu" write
- by * none
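Review bot: Removing rule `{2}` leaves no directive covering attributes other than `entry,uid,objectClass,entryUUID` and `userPassword`, and OpenLDAP terminates every access list with an implicit `access to * by * none`, so after this change only the database rootdn can read or write cn, sn, mail and the rest, and `uid=admin,ou=users,dc=opencloud,dc=eu` loses the write access the old rule gave it unless that entry is the rootdn. The rootdn setting and `20_admin.ldif` are not in this diff, so if the admin entry is the rootdn the removal is harmless; otherwise Keycloak's federation through that account becomes read-only or fails, which is worth confirming with a bind-and-modify test before merging. If a non-root admin is intended, a final rule such as `olcAccess: {2}to * by dn.base="uid=admin,ou=users,dc=opencloud,dc=eu" write` keeps it without reopening anonymous access (split across LDIF continuation lines as in the file). The subject line "change acls" does not say which accounts were checked against the new list, so naming them in the description would help whoever next touches this file.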